If you are concerned about other users of your system having access to your files, there has been a simple way to encrypt files and folders in every version of Windows since XP called Encrypting File System (EFS). We will show you how to apply EFS to your files and folders.

NOTE: Files and folders you encrypt using EFS can only be decrypted using the Windows login that encrypted the file. Other users on the system will be able to see the files but will not be able to open them, even if they are running as administrator. That means that you also need to be careful you do not forget your login, or you will be locked out of your own files.

http://technet.microsoft.com/en-us/library/bb457007.aspx How to Share Files Using Encrypting File System

This article describes how to share files using EFS, and is intended to assist system architects and administrators in developing best practices for creating data recovery and data protection strategies using Windows XP.

In Windows XP, EFS supports file sharing between multiple users on a single file. This provides an opportunity for data recovery by adding additional users to an encrypted file. Although the use of additional users cannot be enforced through policy or other means, it is a useful and easy method for enabling recovery of encrypted files by multiple users without actually using groups, and without sharing private keys between users.

Once a file has been initially encrypted, file sharing is enabled through a new button in the user interface (UI). A file must be encrypted first and then saved before additional users may be added. After selecting the Advanced Properties of an encrypted file, a user may be added by selecting the Details button. Individual users may add other users (not groups) from the local machine or from the Active Directory, provided the user has a valid certificate for EFS.

To add users

Click the Add button as shown in Figure 2 below.

Figure 2. Adding users

A new dialog box will be presented showing the existing users and certificates that are cached in the "Other People" certificate store of the local machine. It will also allow new users to be added from the Active Directory by clicking the Find User button.

Note A user must have a valid EFS certificate in the Active Directory to be added.

Click the Find User button to find new users as shown in Figure 3 below.

Figure 3. Finding new users from Active Directory

The standard object picker dialog box will be displayed and a search will be conducted.

Question No: 102 – (Topic 2)

A company has a Windows 8.1 client computer with secure boot enabled. You install a third-party adapter with an Option ROM in the computer.

When you start the computer, it starts in the Windows Recovery Environment (Windows RE).

You need to ensure that the computer starts normally. What should you do?

Configure a system boot password from the system BIOS.

Disable C-State configuration from the system BIOS.

Replace the third-party adapter with an adapter that is signed by a trusted Certificate

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.

When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.

Frequently asked questions:

Q: What happens if my new hardware isn’t trusted? A:

Your PC may not be able to boot. There are two kinds of problems that can occur:

The firmware may not trust the operating system, option ROM, driver, or app because it is not trusted by the Secure Boot database.

Some hardware requires kernel-mode drivers that must be signed. Note: many older 32-bit (x86) drivers are not signed, because kernel-mode driver signing is a recent requirement for Secure Boot.

Q: How can I add hardware or run software or operating systems that haven’t been trusted by my manufacturer?

A:

You can check for software updates from Microsoft and/or the PC manufacturer.

You can contact your manufacturer to request new hardware or software to be added to the Secure Boot database.

For most PCs, you can disable Secure Boot through the PC’s BIOS.

Q: How do I edit my PC’s Secure Boot database? A: This can only be done by the PC manufacturer.

Question No: 103 – (Topic 2)

You administer Windows 8.1 Pro computers in your company network.

A user named User1 encrypts a sensitive file named file.txt by using Encrypting File System (EFS). A user named User2 must be able to read file.txt.

You need to configure unencrypted read access to file.txt for User2. What should you do?

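The EFS file-sharing procedure described above, and the scenario in Question 103, done from the command line instead of the Advanced > Details dialog. This is an added example, not part of the TechNet article or the exam; it assumes it is run as User1 (who encrypted the file), that the file is C:\Data\file.txt, and that User2 already has an EFS certificate published in Active Directory, as the article's note requires. All names are placeholders.

```powershell
# Added example: grant a second user decrypt access to an EFS-encrypted file
# and verify the result. Placeholders: C:\Data\file.txt, User1 (runs this), User2.
param(
    [string]$File   = 'C:\Data\file.txt',
    [string]$Reader = "$env:USERDOMAIN\User2"
)

function Get-EfsInfo {
    # cipher /c prints the EFS metadata of a file, including the
    # "Users who can decrypt" list and the recovery certificates.
    param([string]$Path)
    cipher.exe /c $Path
}

$before = Get-EfsInfo $File
# cipher marks encrypted entries with a leading "E". Refuse to go on otherwise:
# /adduser on a plaintext file changes nothing and would give a false sense of safety.
if (-not ($before -match '^E\s')) {
    throw "$File is not EFS-encrypted. Encrypt it first as User1: cipher /e `"$File`""
}

# EFS is layered on top of NTFS permissions, not a replacement for them:
# User2 also needs an NTFS read ACE, or the added certificate is useless to them.
icacls.exe $File /grant "${Reader}:(R)" | Out-Null

# Add User2's EFS certificate to the file's Data Decryption Field. This is what the
# Details > Add button does: the file encryption key is wrapped a second time, for
# User2's public key. User1's private key is never shared or exported.
cipher.exe /adduser /user:$Reader $File

# Verify that User2 now appears among the users who can decrypt the file.
$after = Get-EfsInfo $File
if ($after -match [regex]::Escape($Reader)) {
    "OK: $Reader can now decrypt $File"
} else {
    $after   # show cipher's own account listing to see how the name was rendered
    throw "$Reader not found in the decryptor list of $File"
}
```

The same `cipher /c` output lists the recovery agent certificates, which is how an administrator confirms that a data recovery strategy of the kind the article describes is actually in effect on a given file.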

Question No: 104 – (Topic 2)

A company has client computers that run Windows 8.1. The client computers are in a workgroup. Windows Remote Management (WinRM) is configured on all computers.

You need to configure a computer named COMPUTER1 to retrieve Windows event logs from all other computers in the workgroup.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

Start the Windows Event Collector service on COMPUTER1.

Add machine accounts of all other computers to the Event Log Readers local group on COMPUTER1.

Start the Windows Event Log service on all computers other than COMPUTER1.

Create and configure a source computer-initiated subscription.

Add the COMPUTER1 machine account to the Event Log Readers local group on all computers.

Start the Windows Event Collector service on all computers other than COMPUTER1.

The only basic rules are that the source machine should have Winrm2 installed and running on it, and the Event Collector Service should be running on the collector machine. There are two methods available to complete this challenge – collector initiated and source initiated.

Collector Initiated

When defining such a subscription, you instruct the collector to open a WinRM session to the source machine(s) using a specified set of credentials (or the computer account) and ask for a subscription.

Further Information:

For best management we want a collector-initiated subscription, meaning we'll be setting up the subscription at the collecting computer instead of at each individual computer. The Windows Event Collector service is required for subscriptions to work on the computer doing the collecting.

The collecting computer must be a member of the Event Log Readers local group on all computers in order to be able to read the event log.

You can subscribe to receive and store events on a local computer (event collector) that are forwarded from a remote computer (event source).

The following list describes the types of event subscriptions:

Source-initiated subscriptions: allows you to define an event subscription on an event collector computer without defining the event source computers. Multiple remote event source computers can then be set up (using a group policy setting) to forward events to the event collector computer. This subscription type is useful when you do not know or you do not want to specify all the event source computers that will forward events.

Collector-initiated subscriptions: allows you to create an event subscription if you know all the event source computers that will forward events. You specify all the event sources at the time the subscription is created.

You can subscribe to receive events on a local computer (the event collector) that are forwarded from remote computers (the event sources) by using a collector-initiated subscription. In a collector-initiated subscription, the subscription must contain a list of all the event sources. Before a collector computer can subscribe to events and a remote event source can forward events, both computers must be configured for event collecting and forwarding.

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

In a workgroup environment, you can follow the same basic procedure described above to configure computers to forward and collect events. However, there are some additional steps and considerations for workgroups:

You can only use Normal mode (Pull) subscriptions.

You must add a Windows Firewall exception for Remote Event Log Management on each source computer.

You must add an account with administrator privileges to the Event Log Readers group on each source computer. You must specify this account in the Configure Advanced Subscription Settings dialog when creating a subscription on the collector computer.

Type winrm set winrm/config/client @{TrustedHosts="<sources>"} at a command prompt on the collector computer to allow all of the source computers to use NTLM authentication when communicating with WinRM on the collector computer. Run this command only once.
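The workgroup steps above (WinRM on the sources, the Remote Event Log Management firewall exception, the Event Log Readers membership, the Event Collector service, TrustedHosts and a collector-initiated pull subscription) as one script, run with -Role Source on each source computer and -Role Collector on COMPUTER1. This is an added example, not from the cited Microsoft text; it assumes placeholder hosts SRC1 and SRC2, a local account named wefreader that exists with the same password on every source, and an elevated PowerShell prompt on Windows 8.1.

```powershell
# Added example; SRC1, SRC2 and the 'wefreader' local account are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Source','Collector')][string]$Role,
    [string[]]$Sources      = @('SRC1','SRC2'),
    [string]$ReaderAccount  = 'wefreader',
    [string]$SubscriptionId = 'WorkgroupSystemErrors'
)

if ($Role -eq 'Source') {
    # WinRM must be running and listening: the one rule the text gives for a source.
    winrm quickconfig -q | Out-Null
    # Firewall exception for Remote Event Log Management on each source computer.
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
    # The account the collector authenticates as must be in Event Log Readers on
    # every source (assumed: a local account of that name already exists).
    net localgroup 'Event Log Readers' $ReaderAccount /add
    return
}

# Collector side (COMPUTER1).
# Configure the Windows Event Collector service and set it to start automatically.
wecutil qc /q
# No Kerberos in a workgroup: name the sources WinRM may authenticate to with NTLM.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($Sources -join ',') -Force
# Collector-initiated, Normal (pull) mode, with every source listed explicitly.
$sourceXml = ($Sources | ForEach-Object {
    '    <EventSource Enabled="true"><Address>' + $_ + '</Address></EventSource>' }) -join "`n"
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error System events from workgroup sources</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
$path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path
# The reader account's credentials are attached to the subscription afterwards,
# not written into the XML, so the password never lands on disk in clear text.
$cred = Get-Credential -UserName $ReaderAccount -Message 'Reader account password (same on all sources)'
wecutil ss $SubscriptionId /cun:$ReaderAccount /cup:$($cred.GetNetworkCredential().Password)
# Verify: each source should report as Active once the first pull has succeeded.
wecutil gr $SubscriptionId
```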

This policy setting is used to control which unlock options are available for operating system drives.

With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:

only the TPM for authentication

insertion of a USB flash drive containing the startup key

the entry of a 4-digit to 20-digit personal identification number (PIN)

a combination of the PIN and the USB flash drive

There are a few things you’ll need to note when configuring these settings in Group Policy for your Active Directory.

Second, make sure you get the “Require additional authentication at startup” setting correct under “Operating system drives.” Make sure that “Allow BitLocker without a compatible TPM” is unchecked and that you’re not requiring more than one startup option. This is how it should look:

“Allow Secure Boot for integrity validation” allows you to configure the use of Secure Boot on computers that have UEFI firmware. More specifically, it lets you disable it since the default is to use Secure Boot when it is available on a computer. In the event you do disable it, you can configure the “use enhanced Boot Configuration Data validation profile” to choose specific BCD settings to verify.

Question No: 106 – (Topic 2)

You change settings on a reference computer by using the Windows Firewall with Advanced Security tool. You want to apply the same settings to other computers.

You need to save the Windows Firewall with Advanced Security configuration settings from the reference computer. You also need to be able to import the configuration settings into a Group Policy object later.

What should you do?

A. Run the netsh advfirewall export c:\settings.xml command.

B. Run the netsh advfirewall export c:\settings.txt command.

C. Run the netsh advfirewall export c:\settings.wfw command.

D. Run the netsh firewall export c:\settings.xml command.

Answer: C

Explanation: * Netsh advfirewall is a command-line tool for Windows Firewall with Advanced Security that helps with the creation, administration, and monitoring of Windows Firewall and IPsec settings and provides an alternative to console-based management.

Export subcommand

Exports the Windows Firewall with Advanced Security configuration in the current store to a file. This file can be used with the import command to restore the Windows Firewall with Advanced Security service configuration to a store on the same or to a different computer.

Syntax

export [ Path ] FileName

Parameters

[ Path ] FileName

Required. Specifies, by name, the file where the Windows Firewall with Advanced Security configuration will be written. If the path, file name, or both contain spaces, quotation marks must be used. If you do not specify Path then the command places the file in your current folder. The recommended file name extension is .wfw.

Example

In the following example, the command exports the complete Windows Firewall with Advanced Security service configuration to the file C:\temp\wfas.wfw.

export c:\temp\wfas.wfw

Reference: Netsh Commands for Windows Firewall with Advanced Security

Question No: 107 – (Topic 2)

A company has client computers that run Windows 8.1. You set up new virtual private network (VPN) connections on all client computers. The VPN connections require the use of a smart card for authentication.

Users are unable to connect to the corporate network by using the VPN connections. The connection properties are configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the client computers can connect to the corporate network. What should you do?

Enable Challenge Handshake Authentication Protocol (CHAP).

Change the VPN type to IKEv2.

In the advanced settings, select Use preshared key for authentication.

Change the authentication setting to Use Extensible Authentication Protocol (EAP).

EAP can be used to provide an added layer of security to VPN technologies such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). EAP enables this functionality through Certificate Authority (CA) and SmartCard technologies, which provide mutual authentication of the client and the server.

The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access VPN connections, you must use Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS).

Question No: 108 – (Topic 2)

A company has client computers that run Windows 8.1.

When a user tries to print from his portable client computer while connected to the corporate network, he discovers that the default printer is set to his home printer instead of to the office printer.

You need to ensure that the default printer for the computer is the office printer when the computer is connected to the corporate network and the user’s home printer when the computer is connected to his home network.

What should you do on the portable computer?

In the printer properties of the corporate printer, configure the active port with the correct TCP/IP settings for the printer.

Install the corporate printer and set it as the default printer. Then add the home printer to the homegroup settings.

Connect to the home network and choose Connect from the shared printer object context menu. Then connect to the corporate network and choose Connect from the shared printer object context menu.

Location-aware printing is not a new feature; it already existed in Windows 7. It lets your default printer follow you, so you can have one default printer at work and another at home without switching manually.

Just click on an installed printer in control panel and select Manage default printers.

Be sure Change my default printer when I change Networks is selected and then manage per network which printer you want to be default.

Location-Aware Printing is dependent upon the Network List Service and the Network Location Awareness service. If either one of these services is stopped or malfunctioning, then Windows will not be able to detect network changes and may not switch default printers as expected.

Question No: 109 – (Topic 2)

You are troubleshooting a computer that runs Windows 8.1. The computer is not joined to a domain.

You are unable to change any of the advanced Internet options, which are shown in the Advanced Internet Options exhibit. (Click the Exhibit button.)

You need to ensure that you can change the advanced Internet options. Which tool should you use?

A. Credential Manager

B. Authorization Manager

C. Group Policy Object Editor

D. Ease of Access Center

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc731745.aspx Open the Local Group Policy Editor

Group Policy provides a secure way to control Microsoft® Windows® Internet Explorer® 9 configurations.

Question No: 110 – (Topic 2)

A company has an Active Directory Domain Services (AD DS) domain. The company has 100 client computers and tablets that run Windows 8.1. Each user has a unique local user account on each device he or she uses.

The company wants to simplify the logon process for all users. You have the following requirements:

->Reduce the number of unique user accounts for each user.

->Unify the initial Windows 8.1 theme across all Windows 8.1 devices.

->Ensure that Windows Store apps maintain the last used state across all Windows 8.1 devices.

You need to configure an authentication method that meets the requirements. Which authentication method should you configure?

While Windows 8 has a lot of cool features to entice users, arguably the coolest is Account sync. For those who choose to log in to their Windows 8 devices with a Microsoft account, Windows 8 can synchronize a ton of information from one device to the next. You can choose to sync everything from basic settings to themes and wallpapers. Windows 8.1 users can even sync modern applications between accounts.

You can connect your Microsoft account to your domain account and sync your settings and preferences between them. For example, if you use a domain account in the workplace, you can connect your Microsoft account to it and see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings that you see on your home PC. You'll also be able to use Microsoft account services from your domain PC without signing in to them individually.